Terms in this set (153)

  • Security Controls Assessment
    The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorization
    The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
  • Reciprocity
    Mutual agreement among participating organizations to accept each other's security assessments in order to reuse information system resources, and/or to accept each other's assessed security posture in order to share information.
  • Information System
    A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
  • General Support System (GSS)
    An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
  • Major Application
    An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources
  • Minor Application
    An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.
  • Adequate Security
    Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
  • Risk Management
    The conduct of a risk assessment; the implementation of a risk mitigation strategy; and the employment of techniques and procedures for the continuous monitoring of the security state of the information system.
  • Authorization Boundary/ information system boundary
    All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected.
  • Subsystem
    A major subdivision of an information system consisting of information, information technology, and personnel that performs one or more specific functions
  • Dynamic Subsystem
    A subsystem that is not continually present during the execution phase of an information system. Service-oriented architectures and cloud computing architectures are examples of architectures that employ dynamic subsystems.
  • External Subsystem
    A system that would be considered outside of the direct control of the organization that owns the information system and authorizes its operation.
  • high water mark
    System information must be protected at a level consistent with the most crucial or sensitive user information being processed, stored, or transmitted by the information system to ensure confidentiality, integrity, and availability
  • Management Controls
    The security controls for an information system that focus on the management of risk and information system security.
  • Operational Controls
    The security controls for an information system that are primarily implemented and executed by people (e.g., processes, checklists, manuals).
  • Technical Controls
    The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system (HW, SW, FW).
  • Risk management
      • Multi-tier, organization-wide risk management
      • Implemented by the Risk Executive Function
      • Tightly coupled to Enterprise Architecture and Information Security Architecture
      • System Development Life Cycle focus
      • Disciplined and structured process
      • Flexible and agile implementation
  • Risk Management Tier 1
    Organization (Governance): Addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy.
  • Risk Management Tier 2
    Mission (Business Process): Addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1; associated with Enterprise Architecture.
  • Risk Management Tier 3
    Information System (Environment of Operations): Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures at the information system level.
  • RMF Security Life Cycle (FIPS 199/SP 800-60)
      • CATEGORIZE Information System
      • SELECT Security Controls
      • IMPLEMENT Security Controls
      • ASSESS Security Controls
      • AUTHORIZE Information System
      • MONITOR Security State
  • RMF CATEGORIZE IS (FIPS 199/SP 800-60)
    Define the criticality/sensitivity of the information system according to the potential worst-case adverse impact to mission/business. Categorize the information and the information system.
  • RMF SELECT Security Controls (FIPS 200/SP 800-53)
    Select baseline security controls; apply tailoring guidance and supplement controls as needed based on the risk assessment. Select an initial baseline of security controls, then tailor and supplement as needed based on risk and local conditions. Deliverable is your PLAN.
  • RMF IMPLEMENT Security Controls SP 800-70
    Implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings. Implement the security controls in the information system.
  • RMF ASSESS Security Controls SP 800-53A
    Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system). Assess the security controls in the information system. Deliverable is an assessment report.
  • RMF AUTHORIZE Information System SP 800-37
    Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. Authorize with a POA&M because we're going to continually monitor the system and make sure the controls stay in place. Deliverable is the POA&M.
  • RMF MONITOR Security State SP 800-37/SP 800-53A
    Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Monitor and assess the security controls in the information system.
  • OMB Circular A-130
    Dictates how federal information systems are protected.
  • CIO
    Highest level. Responsible for ensuring:
      • Information security management processes are integrated with strategic and operational planning processes
      • Senior officials within the organization provide information security for the information systems that support the operations and assets under their control
      • The organization has trained personnel sufficient to assist in complying with the information security requirements in related legislation, policies, directives, instructions, standards, and guidelines
    Organizational official responsible for:
      • Designating a senior agency information security officer
      • Developing and maintaining information security policies, procedures, and control techniques to address all requirements
      • Training and overseeing personnel with significant responsibilities for information security
      • Assisting senior officials regarding their security responsibilities
      • Reporting annually to the head of the federal agency on the overall effectiveness of the information security program, including progress of remedial actions, in coordination with other senior officials
  • Risk Executive (Function)
    Helps to ensure that risk-related considerations from individual information systems are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions. Ensures that risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risk in order to ensure mission and business success.
  • Senior Information Security Officer (SISO)
    The head of the organization's information security program office; serves as the CIO's liaison to the Information System Owners, Authorizing Officials, and ISSOs. In many organizations, the SISO is known as the Chief Information Security Officer (CISO).
  • Authorizing Official (AO)
    Responsible for making the final decision on whether or not to authorize a system to operate. This decision cannot be delegated. Issues the ATO.
  • Authorizing Official Designated Representative
    An individual acting on the authorizing official's behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system
  • Information Owners/Steward
    Have statutory, management, or operational authority for specified information. Responsible for creating the policies and procedures governing its generation, collection, processing, dissemination, and disposal. Provide input to the information system owners regarding the security requirements and security controls for how information is processed, stored, or transmitted.
  • Information System Owners
    Responsible for the overall procurement, development, integration, modification, operation, maintenance, and disposal of an information system
  • Information System Security Officers (ISSO)
    Helps assure that the appropriate operational security posture is maintained for an information system. Serves as a principal advisor to their organization on all matters involving the security of an information system.
  • Information System Security Architect
    As changes occur in the existing system environment, these security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their systems
  • Information System Security Engineers
    Responsible for conducting information system security engineering activities. Information system security engineering is a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration.
  • Security Control Assessor
      • Responsible for conducting a complete assessment of the management, operational, and technical security controls utilized within or inherited by an information system
      • Provides an assessment of the severity of weaknesses discovered in the information system and recommends corrective actions to address identified vulnerabilities
      • Prepares the final Security Assessment Report containing the results and findings from the assessment
      • Should be independent of those responsible for correcting deficiencies
  • Common Control Providers
    An individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems). Common control providers are responsible for:
      • Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization)
      • Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization
      • Documenting assessment findings in a security assessment report
      • Producing a plan of action and milestones for all controls having weaknesses or deficiencies
  • Information Technology Security Practitioners
    Responsible for accurate implementation of security requirements in their respective information systems (DBs, security consultants, security analysts).
  • Benefits of Organizational Risk Management
      • Prioritize information security requirements and allocation of information security resources
      • Develop continuous and cost-effective organization-wide solutions to information security problems
      • Consolidate and reform security solutions to simplify management and enhance interoperability and communication between disseminated information systems
      • Ensure information security concerns are integrated into the enterprise architecture, the acquisition process, and system development life cycles
      • Save the organization time and money
  • Federal Enterprise Architecture (FEA)
    Created by OMB to facilitate efforts ensuring federal government mission and business processes are market-based and help improve citizen services. The Risk Management Framework (RMF) supports the FEA by incorporating management processes, shared services, conventional solutions, and information sharing to provide a greater degree of security, confidentiality, dependability, and cost effectiveness for core missions and business functions carried out by organizations.
  • SDLC
    Initiation; Acquisition/Development; Implementation/Assessment; Operations/Maintenance; Sunset (Disposal)
  • SDLC - RMF
    Initiation (RMF Steps 1 & 2); Acquisition/Development (RMF Step 2); Implementation/Assessment (RMF Steps 3-5); Operations/Maintenance (RMF Step 6); Sunset (Disposal) (RMF Step 6)
  • SDLC Step 1 (Initiation)
    An initial risk assessment should be conducted; identification of the Information System Security Officer (ISSO); security categorization should take place, such as by applying the provisions of the following Standards
  • SDLC Step 2 (Acquisition-Development)
    Risk Assessment; Security Functional Requirements Analysis; Security Assurance Requirements Analysis; Cost Considerations and Reporting; Security Planning; Security Control Development; Developmental Security Test and Evaluation; Functional Statement of Need; Feasibility Study; Requirements Analysis; Alternatives Analysis; Cost-Benefit Analysis; Risk Management Plan; Acquisition Planning
  • SDLC Step 3 (Implementation)
    Installation; Inspection and Acceptance; System Integration; Security Accreditation Decision; User Training; Documentation
  • SDLC Step 4 (Operations/Maintenance)
    Performance Measurement; Maintenance; CCM; Continuous Monitoring
  • SDLC Step 5 (Disposition)
    Information Preservation; Media Sanitization; HW/SW Disposal; Contract Closeout
  • OMB
    OMB makes sure funding exists for Congress's legislation and says how it is going to be implemented (sets the standards).
  • Committee on National Security Systems (CNSS)
    National Security Systems. Leverages NIST controls to support reciprocity. Federal and non-national security systems use NIST.
  • Executive order 13231
    Public-private partnerships; OMB given increased responsibility. Created the NIPB (National Infrastructure Protection Board), formerly the CIPB (Critical Infrastructure Protection Board). Created the NSTAC (National Security Telecommunications Advisory Committee).
  • CNSS
    Provides a forum for the discussion of policy issues; sets policy; promulgates direction, operational procedures, and guidance for National Security Systems (NSS).
  • Committee on National Security Systems Policy (CNSSP)
    This Committee on National Security Systems Policy (CNSSP) establishes the requirements for enterprise IA risk management within the national security community, which requires a holistic view of the IA risks to National Security Systems (NSS) operating within the enterprise using disciplined processes, methods, and tools.
  • Committee on National Security Systems Instruction (CNSSI)
    This Committee on National Security Systems Instruction (CNSSI) provides all Federal Government departments, agencies, bureaus, and offices with a process for security categorization of National Security Systems (NSS) that collect, generate, process, store, display, transmit, or receive National Security Information
  • Homeland Security Presidential Directive / HSPD
    Policy of the U.S. to enhance the protection of our Nation's critical infrastructure against terrorist acts... and will continue to serve as a focal point for the security of cyberspace
  • FISMA - Title III of the E-Government Act is the Federal Information Security Management Act
    Requires federal agencies to provide security for the information and information systems that support the organization.
  • FISMA requires:
      • Provide information security protections corresponding with the assessed risk
      • Ensure senior leaders provide information security for assets under their control
      • Ensure the organization has trained personnel to assist in complying with FISMA and related policies
      • Ensure the CIO reports annually on the effectiveness of the organization's information security program
      • Develop, document, and implement an information security program
      • Develop and maintain an inventory of information systems under the control of the organization
  • Office of Management and Budget (OMB) Circular A-130
    Requires executive agencies within the federal government to:
      • Plan for security
      • Ensure that appropriate officials are assigned security responsibility
      • Review the security controls in their information systems
      • Authorize system processing prior to operations and periodically thereafter
    Holds senior officials responsible for security, not just security personnel.
  • OMB M-00-13
    Agencies are to post clear Privacy Policies on agency websites.
  • OMB M-02-01
    Guidance for Preparing and Submitting Security Plans of Action and Milestones (POA&M)
  • POA&Ms contain
    Weaknesses; POC; Resources Required; Scheduled Completion Date; Milestones with Completion Dates; Changes to Milestones; Identified in CFO Audit or Other Review?; Current Status
  • Privacy Act of 1974 (Update 2004)
    The Act focuses on four basic policy objectives:
      • Restrict disclosure of PII maintained by agencies
      • Increase individuals' rights of access to agency records
      • Grant individuals the right to seek amendment if records are not accurate
      • Establish a code of "fair information practices"
  • Clinger-Cohen
    Paperwork reduction
  • FIPS
    Mandatory standards to be used by all federal agencies
  • Special Publications (SPs) - the SP 800 series
    Established in 1990 to provide a separate identity for information technology security publications
  • FIPS Publication 199 (Standards for Security Categorization of Federal Information and Information Systems)
    Security Categorization (usually based on duration):
      • Low: limited impact, minor degradation to mission
      • Moderate: serious, significant degradation to mission; up to 48 hours outage
      • High: catastrophic, severe degradation to mission; over 48 hours outage
    Defines the high water mark (highest sensitivity and criticality) and defines the overall system security categorization. Categorization is based on potential impact to the security objectives (CIA); the highest level for any of the C-I-A triad is the categorization level.
  • FIPS Publication 200
    Minimum Security Requirements:
      • Promotes the development, implementation, and operation of more secure information systems
      • Establishes minimum levels of due diligence for information security
      • Facilitates a more consistent, comparable, and repeatable approach for selecting and specifying security controls
  • NIST SP 800 - 18
    Security Planning/Guide for Developing Security Plans, System security plan template
  • NIST SP 800 - 30
    Risk Assessment: The purpose of SP 800-30 is now to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in SP 800-39 on risk management.
  • NIST SP 800 - 37
    Risk Management Framework: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Guidelines developed:
      • To ensure that managing information system security risks is consistent with the organization's objectives and overall risk strategy
      • To ensure that information security requirements are integrated into the organization's enterprise architecture and SDLC
      • To support consistent and ongoing security authorization decisions
      • To achieve more secure information and information systems through the implementation of appropriate risk mitigation strategies
  • NIST SP 800 - 39
    Risk Management: Provides guidelines for managing risk at the organizational, mission/business, and information system level.
      • Provides a structured, yet flexible approach for managing risk
      • Contains the definitions and the practical guidance for responding to and monitoring risks
  • NIST SP 800 - 53
    Recommended Security Controls: Provides guidelines for selecting and specifying security controls for information systems.
      • Helps achieve more secure information systems and effective risk management
      • Provides a stable, yet flexible catalog of security controls for information systems
  • NIST SP 800 - 53A
    Security Control Assessment: Provides guidelines for building effective security assessment plans and a set of procedures for assessing the effectiveness of security controls.
      • Helps achieve more secure information systems
      • Enables more consistent, comparable, and repeatable assessments of security controls
      • Used in conjunction with NIST SP 800-53 Rev 4
  • NIST SP 800 - 59
    National Security Systems: Assists agencies in determining which of their systems are national security systems. Ensures that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements.
  • NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories)
    Security Category Mapping: Helps agencies consistently map security impact levels to types of:
      • Information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation)
      • Information systems (e.g., mission critical, mission support, administrative)
    Determines the type of information and aligns it with a potential impact level as defined in FIPS-199.
  • NIST SP 800 - 70
    Guidelines for Checklists: Describes security configuration checklists and their benefits. Explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists.
  • NIST SP 800 - 137
    Continuous Monitoring (Information Security Continuous Monitoring, ISCM):
      • Provides guidance on defining, establishing, and implementing an ISCM program
      • Provides guidance on analyzing data and reporting and responding to findings
      • Enables organizations to move from compliance-driven risk management to data-driven risk management
  • Continuous Monitoring
    Determine if the set of deployed security controls continues to be effective over time in light of changes to the information system or environment of operation.
      • Update authorization documents such as Security Plans, Security Assessment Reports, and Plans of Action and Milestones
      • Assist in maintaining the current authorization
      • Support decisions on reauthorization
  • RMF Step 1
      • Categorize (Information System Owner/Information Owner)
      • Describe the information system and document the description in the SSP (Information System Owner); define the system boundary
      • Register the system with the PMO (ISSO)
  • sensitivity
    A measure of the importance assigned to information by its owner for the purpose of denoting its need for protection.
  • criticality
    A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function
  • Information Inventory and Classification approach
    Mission owner/business manager, program manager, everyone. ISSO.
  • 4 Step Categorization Process
    Identify information types; select provisional impact levels; review provisional impact levels and adjust/finalize information impact levels; assign the system security category.
  • SSP
    System Owner writes it, but can delegate to the ISSO. Started in RMF Step 1.
  • SSP Contents
    Plan Contents (Table of Contents); System Description - Categorization; Description of Controls; System Security Roles and Responsibilities; System Operational Status and System Types; System Environment; System Interconnections and Sharing; System Certification Level; ROB; Completion and Approval Dates
  • SSP Appendices
    Risk Assessment; PIA (Privacy Officer); System Interconnection Agreements; Contingency Plan; Security Configurations; Configuration Management Plan; Incident Response Plan; Continuous Monitoring Plan
  • SSP Plan Approval
    Written by the system owner. Reviewed and approved through the AO or designated representative; final approval is through the AO or designated representative. Normally a collaborative back-and-forth relationship.
  • System Registration
    Informs parent or governing organization that the system exists, identifies key characteristics, and security implications.
  • The categorize process includes:
      • Prepare for system security categorization
      • Identify the system's information types
      • Select the impact value for each information type
      • Adjust the information type's impact value
      • Adjust the system's security category
      • Determine the information system's security impact level
      • Obtain approval for the system security category and impact level
      • Maintain the system security category and impact level
  • Who Identifies Common Controls?
    CIO/SISO; Information Security Architect; Common Control Provider
  • Who selects Controls?
    System Owner or Security Architect
  • Determines the strategy for continuous monitoring and changes to the environment
    System Owner or Common Control Provider
  • security controls
    Made up of Safeguards and Countermeasures
  • Countermeasures
    Reduce vulnerability
  • Safeguards
    Security of physical structures, areas, devices, etc.
  • Minimum Security Baseline (MSB)
    A set of standards that are applied enterprise-wide to ensure a consistent level of compliance. Not system specific; must be augmented by baseline security configuration standards for all technology components that make up the system.
  • SP 800-53, r4 "Security and Privacy Controls for Federal Information Systems and Organizations"
    Provides guidance for selecting and identifying security controls for information systems. 18 security control families, closely aligned with FIPS 200. Includes the PM family required by FISMA (Appendix G). No longer divided into Management, Operational, and Technical like FIPS 200.
  • FIPS 200 "Minimum Security Requirements"
    Uses the high water mark to identify baseline security controls to implement (Low Impact = Low Baseline = Annex 1, etc.). Defines 17 security-related areas (CM, MS, etc.).
  • Security Control Families
      • AC: Access Control
      • AT: Awareness and Training
      • AU: Audit and Accountability
      • CA: Security Assessment and Authorization
      • CM: Configuration Management
      • CP: Contingency Planning
      • IA: Identification and Authentication
      • IR: Incident Response
      • MA: Maintenance
      • MP: Media Protection
      • PE: Physical and Environmental Protection
      • PL: Planning
      • PS: Personnel Security
      • RA: Risk Assessment
      • SA: System and Services Acquisition
      • SC: System and Communications Protection
      • SI: System and Information Integrity
      • PM: Program Management
  • PM : Program Management
    Organization-wide information security program management controls supporting the information security program. Not associated with security control baselines; independent of any system impact level, therefore no control enhancements are included.
  • Privacy Controls
    NIST SP 800-53 Rev 1 (new to this). Protect any form of PII.
  • Privacy Control Families
    AP AR DI DM IP SE TR UL
  • Authority and Purpose (AP)
    Ensures that organizations (i) identify the legal bases that authorize a particular personally identifiable information (PII) collection or activity that impacts privacy and (ii) specify in their notices the purpose(s) for which PII is collected.
  • Accountability, Audit, and Risk Management (AR)
    Enhances public confidence through effective controls for governance, monitoring, risk management, and assessment to demonstrate that organizations are complying with applicable privacy protection requirements and minimizing overall privacy risk.
  • Data quality and Integrity (DI)
    Enhances public confidence that any personally identifiable information (PII) collected and maintained by organizations is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in public notices.
  • Data Minimization and Retention (DM)
    Implements the data minimization and retention requirements to collect, use, and retain only personally identifiable information (PII) that is relevant and necessary for the purpose for which it was originally collected
  • Individual Participation and Redress (IP)
    Addresses the need to make individuals active participants in the decision-making process regarding the collection and use of their personally identifiable information (PII).
  • Security (SE)
    Supplements the security controls in Appendix F to ensure that technical, physical, and administrative safeguards are in place to protect personally identifiable information (PII) collected or maintained by organizations against loss, unauthorized access, or disclosure, and to ensure that planning and responses to privacy incidents comply with OMB policies and guidance
  • Transparency (TR)
    Ensures that organizations provide public notice of their information practices and the privacy impact of their programs and activities.
  • Use Limitation (UL)
    Ensures that organizations only use personally identifiable information (PII) either as specified in their public notices, in a manner compatible with those specified purposes, or as otherwise permitted by law
  • 800-53 Rev 4 Control Catalog Components
      • Control section: concise statement of the security capabilities required
      • Supplemental guidance section: additional information, but no requirements
      • Control enhancements section: additional functionality
      • References section: federal laws, EOs, directives, policies, standards, FIPS, OMB, NIST
      • Priority and baseline allocation section for each security control: the initial allocation of security controls for low-, medium-, and high-impact information systems
  • Rev 4 Priority Codes
    P1 (highest), P2, P3 (lowest), P0 (security control not required for baseline)
  • Security Control Tailoring
    The organization determines which controls do not apply, integrates compensating controls, and specifies organization-defined parameters (SP 800-53).
  • Select Process (for controls)
      • Prepare for selecting security controls
      • Select the initial security control baseline and minimum assurance requirements
      • Apply scoping guidance
      • Determine the need for compensating controls
      • Determine appropriate organization-defined values for the identified parameters
      • Supplement the tailored security control baseline
      • Determine if additional minimum assurance requirements are needed for moderate- and high-impact systems
      • Document the selection decisions and update the security plan
      • Obtain approval of, and agreement with, the security controls
  • Select Controls Process Input
    System description; system security category; impact level; 800-53 catalog of common controls
  • Select Controls Process Output
    Final, agreed upon set of security controls
  • SP 800-53 Rev 3
    Recommended Security Controls for Federal Information Systems and Organizations
  • SP 800-53A
    Guide for Assessing the Security Controls in Federal Information Systems
  • SP 800-70
    Security Configuration Checklists Program for IT Products: Guidance for Checklist Users and Developers
  • SP 800-34
    Contingency Planning
  • SP 800-61
    Incident Response
  • SP 800-63
    Identification and Authentication (Electronic Authentication Guideline)
  • SP 800-16/800-50
    Awareness and Training
  • SP 800-40
    Patch Management
  • SP 800-41
    Firewall Management
  • SP 800-115
    Provides guidance on the basic technical aspects of conducting information security assessments, including penetration testing
  • The assessment determines the extent to which the controls are:
    • implemented correctly
    • operating as intended
    • producing the desired results
  • SP 800-53A
    Provides a NIST process for assessing security controls • Prepare • Develop • Conduct • Analyze
  • SP 800-53A Appendix F
    Provides an assessment procedure for each control listed in NIST SP 800-53
  • Security Assessment Report
    • One of three key documents in the security authorization package developed for authorizing officials
    • Includes the assessor's findings, used to determine the effectiveness of the security controls employed within or inherited by the information system
    • An important factor in an authorizing official's determination of risk to organizational operations and assets
  • POA&M document identifies
    • Tasks needing to be accomplished
    • Resources required to accomplish the elements of the plan
    • Any milestones in meeting the tasks
    • Scheduled completion dates for the milestones
  • Security Authorization Package
    Documents the results of the security control assessment. Provides the Authorizing Official with the essential information needed to make a credible, risk-based decision on information system authorization. Provides the best indication of:
    • The overall security state of the information system
    • The ability of the system to protect, to the degree necessary
  • RMF Step 6
    • Determine the security impact of proposed or actual changes
    • Assess a selected subset of security controls
    • Update the POA&M, SAR, and security plan based on the results
    • Report the security status
    • Review the reported status
    • Implement a decommissioning strategy
  • CNSS Instruction 1253
  • An effective continuous monitoring program includes
    • Configuration management and control processes
    • Security impact analysis of changes to the information system
    • Assessment of security controls
    • Security status reporting to organizational officials
  • Near real-time risk management is facilitated by updates to
    SSP, SAR, POA&M
  • System Removal and Decommissioning
    • Organizational tracking and management systems are updated
    • Users and application owners are notified of the security control impact
    • Relationships with other systems are reviewed and assessed for impact
    • Subsystems are also removed, and the effects on the overall system due to subsystem removal are assessed
  • Information Security Program
    • Provides ongoing, up-to-date information about the security state and risk posture
    • Enables the organization to make reliable, risk-based decisions
    • Provides a process to update the SSP, SAR, and POA&M
  • Monitoring process includes these tasks
    • Develop a strategy for monitoring
    • Evaluate a selected subset of controls
    • Conduct selected remediations
    • Update the SSP, SAR, and POA&M
  • RMF Task 5 (authorize)
    • Prepare the POA&M (system owner)
    • Assemble the security authorization package and submit it to the AO (system owner)
    • Determine risk (AO / designated representative)
    • Risk acceptance decision (AO)
    Reference: SP 800-37
  • SP 800-30 and 39
    Help to make risk determinations
  • SP 800-37
    Provides guidelines that define the steps for system authorization
  • Authorization package includes:
    SSP, SAR, POA&M
  • SSP includes:
    • Overview of security requirements
    • Descriptions of the controls in place
    • Supporting appendices: risk assessment, privacy impact assessment, interconnection agreements, contingency plan, security configuration, configuration management plan, incident response plan, continuous monitoring plan
  • Security Assessment Report provides:
    Key information needed for making information system decisions; contains the security state and an analysis of the risk posture, including:
    • Highlights from the risk assessment
    • Synopsis of key findings
    • Recommendations for addressing weaknesses and deficiencies
  • Risk Assessment
    The systematic identification and prioritization of risk to IT resources; includes analysis of threats, assessment of vulnerabilities and the controls in place, and calculation of risk
  • SP 800-30 Rev 1
    Guide for conducting risk assessments
  • SP 800-30 Rev 1: Steps
    1: Prepare for the assessment
    2: Conduct the assessment
      • Identify threat sources and events
      • Identify vulnerabilities
      • Likelihood determination (threats x vulnerabilities)
      • Magnitude of impact
      • Determine risk
    3: Communicate results
    4: Maintain the assessment
  • Authorization Process
    • Conduct initial remediation actions
    • Prepare the POA&M
    • Assemble the authorization package and submit it to the AO
    • Determine the risks
    • Determine if the risk is acceptable